Critical F5 BIG-IP flaw allows device takeover, patch ASAP! (CVE-2022-1388)
F5 Networks’ BIG-IP multi-purpose networking devices/modules are vulnerable to unauthenticated remote code execution attacks via CVE-2022-1388.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 warned yesterday.
About CVE-2022-1388
CVE-2022-1388 allows undisclosed requests to bypass iControl REST authentication – just like CVE-2021-22986, which was patched in March 2021 and subsequently leveraged by attackers.
The vulnerability was discovered internally by F5, and there’s currently no PoC exploit publicly available, but it’s just a matter of time until one pops up after attackers reverse-engineer the patch. It should also be noted that vulnerabilities affecting BIG-IP devices are often exploited by various hackers, including state-sponsored ones, so organizations might want to hurry up and patch.
F5 has released security updates plugging this and many other, non-critical security holes. For CVE-2022-1388, they also provided mitigation advice in case installing a fixed version is not possible, and it includes:
- Blocking iControl REST access through the self IP address
- Blocking iControl REST access through the management interface
- Modifying the BIG-IP httpd configuration
In general, not exposing BIG-IP’s management interface to the internet is good advice, though apparently not taken by many organizations: according to the results of Nate Warfield’s Shodan search, there are over 16,000 BIG-IP devices exposed on the internet out there.
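A defender-side check for the exposure just described, added here as an example (it is not code from the article or from F5): it scans Apache-style httpd access log lines (format assumed) for iControl REST requests, which are served under the /mgmt/ prefix on BIG-IP, that arrive from addresses outside the networks that are supposed to reach the management plane. The sample log lines and the management network are constructed.

```python
import ipaddress
import re

# Assumed: the device's Apache httpd writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# iControl REST endpoints live under this prefix on BIG-IP.
REST_PREFIX = "/mgmt/"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def flag_unexpected_rest_calls(lines, allowed_nets):
    """Return (src, method, path, status) for every iControl REST request
    whose source address is outside the expected management networks.
    A 2xx status from such a source is the most urgent finding."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(REST_PREFIX):
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # hostname or malformed field; cannot place it in a network
        if any(src in n for n in nets):
            continue
        hits.append((rec["src"], rec["method"], rec["path"], rec["status"]))
    return hits


# Constructed sample lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    '10.10.5.20 - - [09/May/2022:08:01:12 -0400] "GET /mgmt/tm/sys/version HTTP/1.1" 200 812',
    '203.0.113.77 - - [09/May/2022:08:02:40 -0400] "GET /mgmt/tm/sys/version HTTP/1.1" 200 812',
    '198.51.100.9 - - [09/May/2022:08:03:02 -0400] "GET /tmui/login.jsp HTTP/1.1" 200 5124',
    '198.51.100.9 - - [09/May/2022:08:03:05 -0400] "GET /mgmt/shared/authn/login HTTP/1.1" 401 125',
]
MGMT_NETS = ["10.10.5.0/24"]  # constructed: the only network that should reach /mgmt/

if __name__ == "__main__":
    for hit in flag_unexpected_rest_calls(SAMPLE_LOG, MGMT_NETS):
        print("iControl REST request from outside management networks:", hit)
```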
According to F5 Networks, 48 of the Fortune 50 companies use BIG-IP networking devices/modules as server load balancers, access gateways, and application delivery controllers and firewalls, to manage and inspect network and application traffic. They are used by ISPs, telecommunications companies, big cloud service providers, and governments.
UPDATE (May 9, 2022, 03:38 a.m. ET):
Security researchers have created PoC exploits for CVE-2022-1388 and exploitation attempts have already been detected.